Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1694875 - Chance for abuse of sudo using "scl" command
Summary: Chance for abuse of sudo using "scl" command
Status: NEW
Alias: None
Product: Red Hat Software Collections
Classification: Red Hat
Component: scl-utils
Version: unspecified
Hardware: x86_64
OS: Linux
Target Milestone: alpha
: 3.3
Assignee: Joe Orton
QA Contact: BaseOS QE - Apps
Depends On:
TreeView+ depends on / blocked
Reported: 2019-04-01 22:06 UTC by tepi
Modified: 2019-04-01 22:08 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)
Diff file to show what i added to patch the aforementioned bug (deleted)
2019-04-01 22:06 UTC, tepi
no flags Details

Description tepi 2019-04-01 22:06:27 UTC
Created attachment 1550780 [details]
Diff file to show what i added to patch the aforementioned bug

Description of problem:
I recently found an issue with the current version of scl-utils which
enables privilege escalation, namely the "scl" command.

If a user runs "sudo scl enable rh-ruby25 bash" for instance it drops
into a root shell which is pretty bad/good depending on which side of
the fence you're on lol. So I was able to integrate a patch on my host
that fixes the problem and doesn't spawn a new root shell. The problem
came when parsing arguments in the 'args.c' file mainly lines 331-359.

Version-Release number of selected component (if applicable):

How reproducible:
Easily reproducible

Steps to Reproduce:
1. sudo scl enable rh-ruby25 bash
2. whoami;id

Actual results:

A persistent shell as root.

Expected results:

Return to shell of user who called sudo, or to fail on double sudo.

Additional info:

I have already written a patch for it that drops privileges back down to the sudoer stopping the attacker from gaining access to the root user.

Note You need to log in before you can comment on or make changes to this bug.